How to strengthen Mysql database server Security?

Question

1. If we were to use server1 for all files (file server), server2 for mysql database (database server). In order for websites in server1 to access to the database in server2, isn't it needed to connect to to ip address of second (mysql server) ?

In this case, is remote mysql connection.

However, I seen from some people comment on the security issue.

remote access to MySQL is not very secure. When your remote computer first connects to your MySQL database, the password is encrypted before being transmitted over the Internet. But after that, all data is passed as unencrypted "plain text". If someone was able to view your connection data (such as a "hacker" capturing data from an unencrypted WiFi connection you're using), that person would be able to view part or all of your database.

So I just wondering ways to secure it?

1. Allow remote mysql access from server1 by allowing the static ip adress
2. allow remote access from server 1 by setting port allowed to connect to 3306
3. change 3306 to other port?

Any advice?

Answer 1

1) Connect to MySQL over SSL. This will protect your username/password as well as data that is being transferred. Another option is to use a vpn which is better suited if you have multiple machines or daemons that need to be shared.

2)Do not Allow remote root logins. At the very least disable the "root" account becuase this is the first thing an attacker is going to try and brute force.

3)Restrict ip addresses of the user accounts you are using.

4) Remove file_priv from all accounts. If granted this will allow an attacker to read and write files on the server hosting mysql.